Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    February 2015
    S M T W T F S
    « Jan    
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Rainer Link (Senior Threat Researcher)

    A new WORM_NUWAR.CQ variant (filename: postcard.exe, 50,648 bytes) is spreading since yesterday night. This worm is detected since CPR 4.250.01. Once again, faked bills with the subject “KD Webshop Bestellung ” are seeded. Attached is the file “rechnung.exe” (file size: 8.522 bytes), which is detected by IntelliTrap as PAK_Generic.001. Detection will be available in the upcoming CPR as TROJ_YABE.BK. Faked “1&1″ bills are seeded, too. Attachment name is “” (file size: 7.016 bytes), which will be detected as TROJ_YABE.BL. As usual, don’t click on .exe files, and, if possible block .exe files in general on your email server or gateway.

    Posted in Bad Sites | Comments Off

    Since 31/01 late afternoon, faked eMails appearing to be from the BKA (Germany’s Federal Criminal Police Office) are being spammed within Germany. The subject of such eMails are “Ermittlungsverfahren Nr. [number]”, where [number] is a random number. The email attachment is an EXE-file (e.g. 2981956.exe), which is detected as TROJ_DLOADER.KHZ. This trojan downloads another malware, which is detected as TSPY_BZUB.GK. If you receive such an email, just delete it. As a general advise for a corporate environment please block all .exe or .com files, if possible. The BKA issued a PR on this issue. If you assume your computer is already infected, you’re welcome to use our free online-scanner HouseCall.

    Posted in Bad Sites | Comments Off

    11:32 am (UTC-7)   |    by

    There is a new Yahoo phising site spotted located at It spoofs the Yahoo!Photos site.
    Below is a snapshot of the site. Just click the picture for a fuller view.

    The site has already been submitted to Web Blocking Team.
    Posted in Bad Sites | Comments Off

    There are reports of a zero-day exploit code out in the wild for client side RealPlayer and Helix Player. A format string vulnerability found in the said media players can be exploited to execute malicious codes in the affected system. A specially crafted media, which include the .RP (realpix) and the .RT (realtext) file formats, can trigger the vulnerability.

    It is also quoted in the exploit code that RealPlayer was informed about the vulnerability. However, the exploit code was released to the public before RealPlayer came up with a patch for the problem. The author of the exploit apologized for the untimely release of the code as quoted below.

    “Real have been duely informed about this issue and are fixing. Sadly though, it seems someone is trying to pinch my research, as such I have been forced to release this advisory sooner than hoped. Until Real get a new release out, do not play untrusted media with RealPlayer or HelixPlayer. Sorry!

    Moral of the story, don’t talk about personal research on IRC. Thank you plagiarizers”

    Posted in Bad Sites | Comments Off

    Hearing Ben Edelman speak about tricky EULAs and the legalities of these contracts yesterday made me realize that these programs can’t twist our arm. They cannot sue clients who uninstalled the bundled spyware from their systems (while retaining the program of choice) just because the EULA specified otherwise. He said that the purpose of these EULAs are not really for clients but for antispyware companies, to give us second thoughts in tagging these products as spyware. But as a client, what can you do? Ben says that you have every right to know what is installed in your PC because that is your territory. And some cases, the installation details are already in the EULA… you just have to read all of it! Or do you really have to?

    Enter the EULAlyzer… It’s not really your super-savvy tool that can determine that the package that you are installing is totally hogwash, but it is quite useful for us who are allergic to reading gazillions of pages of EULAs. It’s also dons a very user-friendly interface.


    Here’s a walkthrough in EULAlyzing Grokster:

    I get to the Grokster License agreement… And my allergies start showing

    I open the EULAlyzer and drag the crosshair to the text area of Grokster’s EULA.. and it’s ready to be EULAlyzed!

    Then, I click the analyze button and some strings get flagged…

    Then, I expand the “+” on the left side of the flagged text and check out the sneaky things

    And somehow I’m not so happy anymore… Oh well, I still need to read the EULA to verify the context of the statements flagged by the EULAlyzer, but hey, at least I already got a glimpse of those sneaky things and I have an idea of what I’m putting into my PC. And I can even save the sneaky EULA for future purposes.

    Note: The EULAlyzer is a product of Javacool Software LLC. You can read more about this and download it fromtheir site.

    Thanks to Mr. Daves Espia for the Heads up.

    Posted in Bad Sites | Comments Off


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice